PT-2018-15223 · Cloudbees+1 · Jenkins

Thomas De Grenier De Latour · Published 2018-08-23 · Updated 2022-05-13 · CVE-2018-1999044

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.137 and earlier
Jenkins versions 2.121.2 and earlier

Description
A denial-of-service issue exists due to a form validation problem in CronTab.java for cron expressions. When certain rare dates are entered, the request-handling thread enters an infinite loop, potentially resulting in a denial of service. Attackers with Overall/Read permission can exploit this issue.

Recommendations
For Jenkins versions 2.137 and earlier, update to a version that fixes the cron expression form validation issue to prevent infinite loops.
For Jenkins versions 2.121.2 and earlier, update to a version that fixes the cron expression form validation issue to prevent infinite loops.
As a temporary workaround, consider restricting access to the cron expression form validation to minimize the risk of exploitation.

Fix · DoS · Infinite Loop


Weakness Enumeration

Related Identifiers

CVE-2018-1999044
GHSA-8QPF-FV36-H4R8

Affected Products

Jenkins